Article ID: 2028634 - View products that this article applies to.
A hotfix rollup package (build 4.0.3547.2) is available for Microsoft Forefront Identity Manager (FIM) 2010. The hotfix rollup package resolves some issues and adds some features that are described in the "More Information" section.
Hotfix informationA supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Website:
http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
PrerequisitesTo apply this hotfix, you must have Forefront Identity Manager (FIM) 2010 installed.
Registry informationTo use the hotfix, you do not have to change the registry.
Restart requirementYou must restart the computer after you apply this hotfix.
Hotfix replacement informationThis hotfix does not replace a previously released hotfix.
File informationThe global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Collapse this tableExpand this table
Component update file information
Component update packagesThe following table contains the component update packages that are available for download.
Collapse this tableExpand this table
Fixed issues in Certificate Management
Issue 1The FIM 2010 Certificate Manager (CM) auto enroll policy module cannot be used with Cluster CA when database replication is enabled.
This issue occurs because the database connection is encrypted by using data protection API (DPAPI). When the database is replicated to another node, the connection cannot be decrypted.
Issue 2The requests that are submitted by the Online Update Service cannot update the target attribute in Active Directory.
Issue 3The certificate template object identifier (also known as OID) that is specified in an external online update request is ignored in the FIM 2010 CM. Then, when online update requests are submitted externally, all certificates are updated. This issue occurs even if the policy settings dictate that the initiator selects which certificate to update and a certificate OID is specified in the construction of the external request.
Fixed issues in Declarative Provisioning
ssue 1When a structural class or auxiliary class is added to an object in a connected system, the attributes associated with the class are not displayed in the Synchronization Rule user interface.
Fixed issues in Sync Engine
Issue 1By default a run stops after 5000 errors.
This hotfix changes the behavior so that warnings do not count against the error limit.
Issue 2A Sun ONE Directory may write a delta change log inconsistently. The Sync Engine detects this state and throws the “stopped-change-log-out-of-order” error. Additionally, it requires a full import before a delta import can be run again on the Sun One Management Agent (MA).
Issue 3The Active Directory Management Agent (AD MA) incorrectly reports "success" for a newly provisioned user on which the password policy is not met. This issue results in an "exported-change-not-reimported" warning during the next import because Active Directory would correctly disable the user.
Issue 4If you have a CaseSensitiveString attribute in Active Directory, the attribute type is not correctly detected and cannot be configured in Declarative Provisioning.
Issue 5When you try to create a new eDirectory MA that connects to an eDirectory 8.8, you receive the following error message:
The issue occurs because the eDirectory 8.8 is not detected correctly after the eDirectory schema is extended. For example, the eDirectory 8.8 is not detected correctly after you add the SecureLogin type in the schema. .
The management agent run was ended as there were unspecified agent errors.
Issue 6When a calculated group is imported from the FIM Service MA and has static members added because of misconfiguration, Sync Engine crashes. Therefore, a placeholder takeover occurs without any object type set.
Issue 7The AD MA does not have a check box to enable an account to be unblocked when a password is synchronized.
Issue 8GALSync cannot recognize the new Exchange Dynamic Distribution List type.
Issue 9When you perform a search for an object in a connector space for an Export-only ECMA, you receive the following error message:
Image or delta does not have an anchor.
Issue 10If you configure synchronization rules and set dependencies between them after initial configuration, you can end up in a situation where configuration from before the dependency was set is still being applied and objects are disconnected.
With this hotfix the Synchronization Service does not process those settings.
Issue 11The FIM MA cannot be created when metaverse attributes have a hyphen character ( - ) in their name and the database is upgraded from Identity Lifecycle Manager (ILM) 2007 or Identity Integration Server (MIIS) 2003 Service Pack 2 (SP2).
Issue 12The Exchange Serer 2010 PowerShell cmdlets causes the FIM Sync Service to crash when the cmdlets time out.
In order to prevent external applications from causing issues to the FIM Sync Service, the cmdlets now run in an external process after you apply the hotfix.
Issue 13When you define scoping filters by using declarative provisioning, the filter is always evaluated to "false" if an attribute value is missing. This issue makes it difficult to construct filters by using clauses that contains "not" to try to catch bad data.
After you apply the hotfix, an attribute that contains no value (null) is evaluated as if the attribute is an empty string.
Fixed issues in Workflow Engine
Issue 1During FIM startup, a single failure to create an instance of the WorkflowServiceHost class can cause other workflows not to be re-hydrated. This behavior may cause workflows being stuck in the PostProcessing stage.
Issue 2When you create an object that depends on one or more other objects, the Configuration Migration tool may not map references to objects in the target system.
Features in Sync Engine
Feature 1A limited set of PowerShell cmdlets are added to allow you to perform some limited editing of the Sync Service configuration.
For more information about these PowerShell cmdlets, visit the following Microsoft Website:
General information about PowerShell cmdlets that let you edit the Sync Service configuration
Feature 2The hotfix improves the performance when an object is joined to several management agents, with an average of 10% better performance rate for 5 management agents.
Feature 3When you import from Active Directory, you must have been granted the DirSync permission. If you have at least a Windows Server 2003 Domain Controller that you can target, you can take advantage of a new feature that uses usual access control lists (ACLs) in Active Directory and does not require DirSync permissions. By setting the ADMAUseACLSecurity registry key, the AD MA uses AD ACLs instead.
For more information about the registry settings for FIM 2010, visit the following Microsoft TechNet website:
General information about the registry settings for FIM 2010If you enable the ADMAUseACLSecurity registry key, make sure that the account that is used by the AD MA has read permissions to all locations. By default, a regular user has read permissions to all objects except deleted objects. If an object cannot be read any longer it is treated as a deleted object.
Feature 4Assume that you are developing a call-based extensible connectivity management agent (ECMA). You expect that the MA will continue exporting the same change until the change is confirmed by an import. Then, when you have an unreliable target for the data, the data might not be committed successfully even if the call returns success. You will notice this during a delta import on which the information that you read back is not what you sent.
To enable this behavior on the ECMA, you can set the ECMAAlwaysExportUnconfirmed registry key. For more information about the registry key, visit the following Microsoft TechNet website:
General information about the ECMAAlwaysExportUnconfirmed registry key
Feature 5The hotfix changes the eDir MA so that the MA enables connection to any 8.x version without the requirement to add a registry key.
Features in User InterfaceThis hotfix rollup package updates localization for strings that are changed in FIM 2010 Update 1 (version 4.0.3531.2).
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/824684/ )Description of the standard terminology that is used to describe Microsoft software updates
Contact us for more help
Connect with Answer Desk for expert help.